Hacking password illustration (By Santeri Viinamäki, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=53153294)
Sen. Maggie Hassan’s computer system was hacked in what prosecutors called the “largest data theft in Senate history,” yet there is no evidence she informed constituents who may be at risk of identity theft as a result — despite being one of the most vocal advocates for laws requiring hacking victims to do just that.
The New Hampshire Democrat’s former IT aide Jackson Cosko was sentenced to four years in prison June 19 for pilfering essentially all the office’s data by paying another Hassan staffer to help him break into the office late at night.
One of Hassan’s key issues in the Senate has been requiring companies to notify Americans whose personal information they fail to protect. Hassan sponsored a federal law to that end, but it has not passed.
A 2006 New Hampshire law enacted while Hassan was a state legislator requires “any person doing business in this state” to notify anyone whose private data they possess if their systems are hacked, exposing individuals’ data such as social security numbers. It is a crime to knowingly disregard the statute.
Constituents who came to Hassan for help called it a betrayal, while a government ethics expert said it was profound hypocrisy.
“What about all the data that was hijacked belonging to her constituents? This was an extensive theft of personal data. She should inform the victims of just what information was breached,” said Tom Anderson, a government ethics expert with the National Legal and Policy Center.
Like any senator’s office, Hassan’s office has the private information of huge numbers of constituents who seek help dealing with federal agencies. The topics are often personal issues such as social security payments, Medicare health issues, and immigration issues.
D.C.-based staff were also affected by the breach, and Virginia has a similar law whose text states that it applies to government entities as well.
Hassan herself has noted that on top of complying with the law to avoid penalties, companies have a moral obligation to protect Americans who trusted them with their data.
“There are state-by-state laws requiring private and public entities to notify individuals when there are security breaches of their personal identifying information. These laws represent the lowest amount of communication required. I’m interested in what companies are proactively doing,” she told Equifax’s CEO in November 2017.
A Hassan staffer caught Cosko in the act Oct. 2, 2018. Cosko tried to extort the witness into silence, according to his plea deal.
“I own EVERYTHING,” he said, rattling off sensitive data. “If you tell anyone I will leak it all.”
Eight days later, on Oct. 10, Hassan railed against Google for not informing people when it discovered a bug in the Google+ API that could potentially leak users’ information.
“It is really concerning to me that an incident affecting this many people didn’t have to be disclosed publicly,” Hassan said. “This incident further highlights the need for a closer look at how we might structure data breach notification in federal legislation.”
Hassan’s office provided no evidence to the Daily Caller News Foundation that it had disclosed its own breach, and several New Hampshire residents who had communicated with Hassan’s office told the DCNF they had not received any notification that their information could be in the hands of bad actors. Records of Senate offices’ mailings to constituents show none from Hassan.
Digital consumer protection laws require that companies notify victims when their data is breached if the data includes certain sensitive fields, such as Social Security numbers or driver’s license numbers. When constituents ask Hassan for help with a problem, she has them fill out a privacy waiver form that requires them to give her their SSN.
Peter J. Gonsalves Jr., a New Hampshire veteran who said he has a master’s degree in public administration, said he went to Hassan’s office desperately seeking help after he faced homelessness following problems with the Department of Veterans Affairs.
Hassan’s office has “medical and personal info on me and they have never told me about any breach,” he told the DCNF. The apparent breach was a blow to someone who was already down.
“I suffer from depression. The VA and the government have destroyed my life,” he said.
Tony Woody, a New Hampshire veteran who has blown the whistle about problems at the Manchester VA medical facility, which subsequently became the focus of national news coverage and of federal probes, said he provided evidence about VA wrongdoing that, if leaked, could put him at risk of retaliation.
“That could be me. But I don’t know since I’ve never heard anything,” he said of the group of people affected by the breach. “Maggie got copies of all my evidence. I don’t want that coming out. There was medical stuff in there, personal stuff. She’s going to have to answer some really hard questions.”
He said Hassan was sloppy.
“He was already a convicted felon when she hired him? Why would she do that? This is IT in the U.S. Senate. What is wrong with people?”
Among the stolen data were the home addresses and cell phone numbers of Republican senators, which Cosko published online to intimidate them, he admitted. The Republicans were notified and given the opportunity to send a victim’s impact statement to the judge, but there is no indication that others whose data was compromised were informed.
“Four months of stealing personal emails, info about constituent services, info about literally hundreds of people. That’s what he had organized in his ‘high value’ folders,” prosecutor Demian S. Ahn said in court.
Ahn called it the “largest data breach in Senate history” and said Cosko essentially stole everything. Cosko’s defense attorney acknowledged “when he broke in, he just took everything that was on there.”
Cosko’s plea agreement notes that “the defendant copied dozens of gigabytes of data from computers in Senator Hassan’s Office, including dozens of usernames and passwords belonging to Senate employees, credit card information belonging to Senate employees, social security numbers belonging to Senate employees, personally identifying information (‘PII’) belonging to hundreds of other persons, and tens of thousands of e-mails and internal documents.”
A Republican Senate aide familiar with “casework” — a term used to describe senators’ assistance of constituents — said “hundreds of other persons” likely understates the number of New Hampshire residents affected.
“You get everything, from people winding up on the death list to people not getting their social security check,” the aide told the DCNF.
In court, Cosko tearfully apologized to constituents for the “harm” or “potential harm” he caused, The Washington Post reported.
But Hassan and her office remained tight-lipped throughout the affair.
Hassan sat on the Senate Committee on Commerce, Science, and Transportation, which oversees communications and interstate trade, as well as the Permanent Subcommittee on Investigations, which probed Equifax’s “failures to protect sensitive information.”
Hassan was one of 15 senators in December 2018 who introduced the “Data Care Act,” which would establish “a duty of care for sensitive data and … hold companies accountable when they fall short. The digital space can’t keep operating like the Wild West at the expense of our privacy.”
On top of her November 2017 and October 2018 exchanges, in March 2019, she again “grilled Equifax executives on their company’s negligence in handling the sensitive data of millions of Americans,” as a press release from Hassan’s office put it.
“The New Hampshire statute does not apply under its terms to the U.S. government,” the state’s Associate Attorney General James Boffetti told the DCNF by email.
He declined to point to the legal reference establishing that. The New Hampshire law also requires businesses that expose people’s private data to notify the attorney general’s office.
Hassan’s constituents are in New Hampshire, but others affected, including Senate employees, likely live in D.C., Maryland and Virginia. Those states have similar laws, at least one of which appears to apply to government entities.
Virginia’s law says it covers not only businesses but also “governments, governmental subdivisions, agencies, or instrumentalities or any other legal entity, whether for profit or not for profit.”
According to a chart summarizing state data breach notification laws compiled by Foley & Lardner LLP, Virginia requires “Notice, without unreasonable delay, to any affected resident of Virginia.”
The District of Columbia’s law says, “If any person or entity is required to notify more than 1,000 persons of a breach of security, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.” It applies to “Any person or entity who conducts business in the District of Columbia.”
Maryland’s law says, “The notice shall be given as soon as reasonably practicable, but not later than 45 days after the business concludes its investigation.”
Virginia law carries a fine of up to $150,000, while the fine in D.C. is $100 for each violation. In Maryland, it is considered an “unfair or deceptive trade practice” and carries a fine of up to $1,000 per violation.